Suppose the app you are working on is specially designed for a customer to meet a particular 'in-house' need, such as data processing of payroll information. This application will not be distributed publicly and will reside on internal networks only. (Theoretically the internal network should remain 100% secure.) How much effort should a developer spend on IA in this case? Let's say the database is SQL, would you worry about preventing an SQL injection attack in this situation?

I would love to hear some feedback from developers who work on non-web-centric (I can't think of a better term right now, though non-web-centric is not completely right. It's more like non-distributed or non-public or something along those lines.) type programs and how much effort they put into security.

As an addendum, how would you justify this need to a manager type?

I am currently doing a case study of the necessity of IA for 'in house' software development so any answer would be greatly appreciated.

+3  A: 

I would apply the "What's the worst thing that could happen" principle to this. If it means that personal information could be leaked and/or possible legal action could be taken upon the company, you should take the most appropriate action to secure the application.

bryanbcook
That raises an interesting point though. If an employee wanted to break into the system and information is leaked, is the company liable? So during development, should we treat it as if we are releasing the program to the general public and have to incorporate all security precautions?
yx
Employee A exploits a weakness to expose confidential information about employee B. Employee B proves the information came from the app and sues the company. Depends how good the company's lawyers are. It's why most HR systems are paper-based and locked under key.
bryanbcook
+2  A: 

I tend to take the perspective that no matter what the final use of the product might be, as the application developer I am responsible for ensuring the integrity of the application and its security. This provides two definite benefits:

  1. Prevents bugs that you might not / will not foresee. For example the same code that escapes inputs before database queries also ensures that names like O'Leary won't break the application's normal execution.
  2. Prevents malicious exploitation of #1.

Regarding #2, if you are working for the company as their developer and information is leaked by an employee using the system then they likely bear liability in that the software is their product. If you are working for a third party that is developing the software to be used by this company then if information is leaked from the company through security holes in your software, any guesses where they'll turn for answers? Either way, it all comes back to you as the application architect and someone with questions about why the application wasn't more secure to begin with.

I would suggest that you implement the most rigorous security possible given your constraints and the sensitivity of the data that you'll be safeguarding. If it's high scores for WoW then I'd worry less than if I were designing an internal application for a bank.

Noah Goodrich
Do you implement checksums then to ensure code integrity?
yx
I've never had to. But that would all depend on whether or not the server that your code was located on was secure.
Noah Goodrich
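
The O'Leary point from the answer above, as an added example that is not part of the original thread. It uses bound query parameters rather than manual escaping, and the `payroll` table, function names and rows are constructed for illustration:

```python
import sqlite3

# Constructed sample payroll rows (not real data).
SAMPLE_ROWS = [
    ("Alice Smith", 52000),
    ("Sean O'Leary", 48000),
    ("Bob Jones", 61000),
]


def make_db():
    """Build an in-memory payroll table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE payroll (name TEXT, salary INTEGER)")
    # Bound parameters store O'Leary without any manual escaping.
    conn.executemany("INSERT INTO payroll VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn, name):
    """Fragile version: user input is pasted into the SQL text."""
    sql = "SELECT name, salary FROM payroll WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, name):
    """Hardened version: input travels as data, never as SQL text."""
    sql = "SELECT name, salary FROM payroll WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    conn = make_db()
    results = {}
    # 1. The ordinary bug: a legitimate name containing an apostrophe.
    try:
        lookup_concat(conn, "Sean O'Leary")
        results["concat_oleary"] = "ok"
    except sqlite3.OperationalError:
        results["concat_oleary"] = "sql error"
    results["bound_oleary"] = lookup_bound(conn, "Sean O'Leary")
    # 2. The same flaw used on purpose: input that rewrites the WHERE clause.
    crafted = "x' OR '1'='1"
    results["concat_crafted_rows"] = len(lookup_concat(conn, crafted))
    results["bound_crafted_rows"] = len(lookup_bound(conn, crafted))
    return results
```

The concatenated lookup fails on the legitimate name and returns every payroll row for the crafted one; the bound lookup handles both as plain data.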
+1  A: 

I have been into the development of some in-house projects. It was an application for collecting the blood group details of the employees and some of their personal information. The security part was a bit ignored.

We got a mail from the Internal security team asking us to secure the application, since it had some personal information. It is possible that we accept vendors and expose the application and it's always advised to develop the secure code.

Techmaddy
+1  A: 

As per most security questions, the questions you need to ask are:

  1. What are the assets you are protecting?
  2. Who would want to get at these assets?
  3. What is the cost to you/your client/your business if these assets are lost?

Payroll information you mentioned in the question would be the asset you are protecting. Would anyone within your network be interested and not authorised to access this information? What would you say if you found your work mate was being paid twice as much as you? What would happen if someone managed to update this information? Would it lead to more money in their bank account?

It is these questions you need to ask when determining how much time to spend on security.

David Waters